IBM Security QRadar


Network Hierarchy Management

By Ralph Belfiore posted Thu November 10, 2022 08:08 PM

  
Hello community,

In some current customer environments, I have often been asked how the network hierarchy should be managed now that the Network Hierarchy app is no longer available after the update to 7.4.3 FP7, for example. This app only works in QRadar versions up to 7.4.3 FP5.

Why?

Since QRadar release 7.4.3 FP6, some older QRadar apps that were built on CentOS 6, such as the Network Hierarchy Management app, no longer run in those deployments.

Here's a link to more details about this dependency: https://www.ibm.com/support/pages/node/6514023

What does that mean?

Before upgrading your QRadar deployment to 7.4.3 FP6+, you have to make sure that those apps are uninstalled or updated to a UBI-based version, to avoid unexpected errors during or after the upgrade process.
Unfortunately, there is no update for the Network Hierarchy app, so it is necessary to uninstall it :(

QRadar API

By this time at the latest, you have to deal with the QRadar API in order to manage the network hierarchy more conveniently :)
It also helps to get familiar with Python or PowerShell and to set up a development environment. As an admin, you need these skills to be able to create helpful scripts and use QRadar in a clever and smart way.

In this blog post I assume that a corresponding development environment already exists. As a first step, my focus is on showing an alternative "easy" approach to maintaining the network hierarchy using the QRadar API.

What is required to manage the network hierarchy?

Step 1
The basis is a CSV file containing all relevant network objects. The values are separated by commas and entered in the order given by the header row.
Step 2
You need to convert the CSV file to a JSON file. With some helpful Python libraries and functions, this goal is also achieved relatively easily :)
Python Snippet
Here is a simple idea or procedure to convert a CSV file to a JSON file. Depending on the requirement, this script can be used as a template for extension or further optimization.
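One way to do the conversion from Step 2, as an added example that is not the author's script: it validates every row before any JSON is produced, so a typo in the CSV cannot end up in the staged hierarchy. The CSV column order, the sample networks and the function name are assumptions; check the object fields (group, name, cidr, description, domain_id) against the API documentation for your QRadar version.

```python
import csv
import io
import ipaddress
import json

# Constructed sample input; the column order is an assumption, not the post's CSV.
SAMPLE_CSV = """group,name,cidr,description,domain_id
DMZ,web,192.0.2.0/25,Public web servers,0
Internal.Servers,db,10.10.20.0/24,Database tier,0
Internal.Clients,office,10.20.0.0/16,Office workstations,0
"""


def csv_to_network_hierarchy(csv_text):
    """Return a list of network objects; raise ValueError listing every bad row."""
    networks, seen, errors = [], set(), []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in row.items() if k}
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(row["cidr"], strict=True)
            domain_id = int(row.get("domain_id") or 0)  # 0 assumed as default domain
        except (KeyError, ValueError) as exc:
            errors.append(f"line {line_no}: {exc}")
            continue
        if not row.get("group") or not row.get("name"):
            errors.append(f"line {line_no}: group and name are required")
            continue
        if (domain_id, net) in seen:
            errors.append(f"line {line_no}: duplicate {net} in domain {domain_id}")
            continue
        seen.add((domain_id, net))
        networks.append({
            "group": row["group"],
            "name": row["name"],
            "cidr": str(net),
            "description": row.get("description", ""),
            "domain_id": domain_id,
        })
    if errors:
        # Refuse to emit a partial hierarchy; report all problems at once.
        raise ValueError("; ".join(errors))
    return networks


if __name__ == "__main__":
    print(json.dumps(csv_to_network_hierarchy(SAMPLE_CSV), indent=2))
```

Redirect the output to a file to get the JSON document used in the import step.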

Importing the Network Hierarchy JSON File

Here, too, there are several options to proceed...
Option 1
You need access to the CLI as root. Copy the JSON file to an appropriate directory, then import it with the following command (the SEC header carries your authorized service token):
curl -S -X PUT -H 'Content-Type: application/json' -H 'Version: 15.1' -H 'SEC: fa7cb8f5-3950-XXXX-XXXX-XXXXXXXXXXXX' -H 'Accept: application/json' --data-binary @/store/IBM_Support/standard-network_current.json 'https://<Console IP>/api/config/network_hierarchy/staged_networks'

Here is a link to the corresponding IBM document with further details:
https://www.ibm.com/support/pages/qradar-how-export-and-import-network-hierarchy-information-using-qradar-api

Option 2
Open the JSON file in an editor, copy its contents to the clipboard with Ctrl-C, and then paste them directly into the QRadar API with Ctrl-V.


After the import, a "Deploy Changes" must be executed.
I hope this post will help anyone looking to get started and learn more about using the QRadar API.


#API
#QRadar

Comments

Tue November 15, 2022 05:06 AM

Thanks for sharing Ralph. :)